Federal Court of Appeal overturns Federal Court decision and finds that Facebook breached obligations under federal privacy law

In Privacy Commissioner of Canada v. Facebook Inc.¹, the Federal Court of Appeal overturned a 2023 Federal Court decision, holding that Facebook breached the Personal Information Protection and Electronic Documents Act (PIPEDA) by failing to obtain meaningful consent from users when disclosing data to third parties and failing to adequately safeguard user data prior to disclosure.

What you need to know

• The Federal Court of Appeal emphasized that meaningful consent under PIPEDA hinges on the perspective of the reasonable consumer using that product or service.
• Even if consumers sign contracts consenting to data practices, the Court suggests that consenting to a privacy policy alone may not be sufficient to establish “meaningful consent” under PIPEDA.
• Intermediaries disclosing information to third parties may be required to take steps to safeguard that data and confirm the adequacy of consents obtained by third parties, in line with the reasonable expectations of their own consumers. In addition, the government and regulators will need to address these obligations in the upcoming open banking framework, as financial institutions will not have control over data transfer recipients or consents.
• Due to the constantly evolving nature of technology and expectations around privacy, businesses should consider both applicable legislation and regulatory guidance when performing risk assessments of data-sharing practices.

The decision

Background and ruling

The case arose after the Office of the Privacy Commissioner of Canada (OPC) investigated Facebook for its data practices surrounding third-party applications. In 2007, Facebook launched “Platform”, which allowed third parties to build applications on Facebook to be used by Facebook users. It also enabled third parties to receive user data. Early versions of these interfaces allowed Facebook users to consent to sharing their own data as well as the data of their Facebook friends.

The OPC investigated an incident concerning a third-party application called “thisisyourdigitallife” (TYDL), a personality quiz, which collected user and friend data and sold it to Cambridge Analytica. In a 2019 report, the OPC found that Facebook breached PIPEDA by failing to obtain valid and meaningful consent for this disclosure to third-party applications, and by failing to adequately safeguard the personal information it had collected.

The OPC commenced proceedings at the Federal Court following its investigation. The Court dismissed the application, citing a lack of sufficient evidence. The OPC appealed.

The Federal Court of Appeal overturned the Federal Court’s decision. It held that the lower court erred in its legal analysis of meaningful consent and data safeguarding. It issued a declaration that Facebook’s practices breached PIPEDA, providing 90 days for the parties to return to the Court to address the appropriate remedy.

Meaningful consent

The Court analyzed whether meaningful consent had been obtained from both the Facebook users directly using the third-party applications and from those users’ friends. It found that the latter group had no opportunity to meaningfully consent to the disclosure of their data, as they were never presented with the third-party privacy policies before their data was disclosed. While Facebook’s own Data Policy noted that user data could be shared with third parties, the Court found that the Policy was too “high-level” and provided only “mundane” examples of these practices². Therefore, Facebook could not rely on these provisions to prove meaningful consent was obtained.

For users directly engaging with third-party applications, the Court analyzed Facebook’s Terms of Service and Data Policy to determine whether Facebook’s own documents provided a basis for obtaining a user’s meaningful consent. The Court said that on a literal reading, the user could be understood to have been warned of the risks and to have consented. However, the Court found that the length and complexity of the documents, coupled with the fact that the provisions on disclosure were in the Data Policy that was incorporated by reference into the Terms of Service rather than as a standalone document requiring a user’s signoff, did not constitute the “kind of active, positive and targeted consent” contemplated under PIPEDA³.

The Court also said that the same heightened scrutiny applied to contracts of adhesion should apply to the clauses of Facebook’s Data Policy “that purport to authorize broad future disclosures of data, potentially to bad actors”⁴. In the Court’s view, the nature of the contract “acts as an interpretative prism that limits the effect of the relevant provisions”⁵. While the Court appears to set a higher bar for meaningful consent, the appropriateness of this lens may be questionable with respect to a policy—not a contract—related to a service that is provided free of charge where data is the main commodity.

Moreover, the Court appears to criticize Facebook’s Data Policy for, on the one hand, its length and inaccessibility, and on the other, for its failure to inform individuals that “third-party apps could be bad actors with intentions to ignore Facebook’s policies or local privacy laws”⁶. While the contradiction between these points can be reconciled, the Court did not do so. 

The role of the intermediary in disclosure

Although Facebook itself did not sell the user data, it acted as an intermediary in the relationship between the user and the third-party application. The Court said that the reasonable user would expect Facebook to have “robust preventative measures” in place to safeguard user data.

The Court also addressed the degree to which Facebook could rely on the third party’s obligation to obtain consent. The Court said that while organizations can rely on third-party consent to disclose data, those organizations must take reasonable measures to ensure the consent obtained by the third party is meaningful.

The Court appears to take the view that Facebook’s users should have been warned that third-party apps could potentially be bad actors with intentions to ignore Facebook’s privacy policies or local law. It is unclear whether this finding is specific to Facebook or could be a requirement on other organizations.

Safeguarding

The Court further found that Facebook breached PIPEDA by failing to adequately safeguard user data. Third-party applications that signed up to Platform signed a Platform Policy and Terms of Service with Facebook before they were granted access to Platform and to user data. Facebook also required that third parties maintained a privacy policy, and that they refrained from selling and/or purchasing data.

The Court referred to a series of factors relevant to its finding on safeguarding: (i) Facebook did not review the third-party privacy policies and merely provided links to those documents to its users; (ii) Facebook did not act on “red flags” from TYDL when the app requested continued access to unnecessary user data; (iii) Facebook did not notify its users, nor did it ban TYDL, when it learned of the data scraping and sale. 

The role of the OPC and other regulators

Facebook raised two defences: officially induced error and promissory estoppel. In 2010, the OPC issued recommendations to Facebook on its consent practices and Facebook complied. The OPC sent a letter indicating it was satisfied with Facebook’s conduct and encouraged Facebook to continue working on its privacy obligations. Facebook argued that its compliance with these recommendations should bar a finding of non-compliance.

The Court, while finding that both claims failed, highlighted the intricacies of the relationship between the OPC and businesses complying with PIPEDA. It cautioned public officials like the OPC from making “broad and unqualified” statements in areas where the relationship between technology and privacy interests evolves rapidly. Nevertheless, the Court concluded that as applications under PIPEDA are de novo proceedings, the OPC’s report was afforded no deference and compliance with PIPEDA is paramount under the law, not compliance with the OPC’s recommendations.

Implications for businesses

A high bar for meaningful consent

The Court reemphasized that consent under PIPEDA is not purely contractual consent. Businesses cannot simply rely on contractual provisions signed by individuals to ground meaningful consent in this area—attention must be paid to the greater context and to the perspective of the “reasonable person” consenting.

Similarly, consent to a privacy policy alone may not be sufficient to constitute meaningful consent under privacy laws. Depending on the practice and potential risks to individuals, specific elements may need to be brought directly to the individual’s attention (such as by making certain terms prominent when consent is first obtained or via a “just in time” consent or reminder later in the relationship).

The Court’s criticism of the complexity of privacy policies also points to a broader trend of ensuring that language used to obtain consent (whether in a privacy policy or elsewhere) is accessible. However, brevity should not always be favoured if it means that more sensitive practices are not plainly described.

To help avoid further (and unwarranted) judicial application of consumer protection doctrine to privacy policies, businesses should consider whether the tone, structure and title of their privacy policies reflect that they are explanations of practices and guides on how to exercise choices and rights, rather than consumer contracts.

Obligations on data intermediaries

This case suggests that intermediaries—in this case, platforms that allow third parties to collect personal information and disclose it to fourth parties—cannot take a “hands-off” privacy approach to this role. The Court indicates that organizations are obligated to take steps to:

• confirm the adequacy of consent obtained by third parties to whom the organization is disclosing personal information,
• exercise diligence in disclosing personal information to third parties, and
• inform individuals of the risks of disclosing personal information to third parties.

These obligations may be particularly applicable for large digital platforms and the online advertising industry. It is less likely that the concerns raised by the Court will have a significant impact on industries like healthcare and medical technology, where third-party recipients are generally rigorously vetted, and data paths are more transparently linked to core services.

While the same could be said for the current state of the financial services industry in Canada, the government and regulators will need to be mindful of this case while designing and implementing the open banking (consumer-directed finance) regime in the near future. In particular, the framework will need to address the Court’s concerns regarding the adequacy of consent, reliability of receiving parties, and consumer transparency, given that disclosing institutions will be unable to do so—or prohibited from doing so—directly.